DEV: If only one auth provider is enabled allow GET request

In this case, the auth provider is acting as an SSO provider, and can be trusted to maintain its own CSRF protections.
This commit is contained in:
David Taylor
2019-08-09 14:44:03 +01:00
parent d348368ab6
commit 1a8fee11a0
3 changed files with 16 additions and 4 deletions


@ -146,6 +146,14 @@ RSpec.describe Users::OmniauthCallbacksController do
post "/auth/google_oauth2", params: { authenticity_token: token }
expect(response.status).to eq(302)
end
it "should not be CSRF protected if it is the only auth method" do
get "/auth/google_oauth2"
expect(response.status).to eq(200)
SiteSetting.enable_local_logins = false
get "/auth/google_oauth2"
expect(response.status).to eq(302)
end
end
end
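Review bot: The new example only toggles `SiteSetting.enable_local_logins`, so it does not establish that the GET bypass is tied to a single enabled provider rather than simply to local logins being off; the implementation lives in one of the other changed files not shown here, so the condition itself cannot be checked from this hunk. A second case that disables local logins, enables one more external provider, and asserts that `get "/auth/google_oauth2"` still returns 200 would pin the "only auth method" condition and catch a regression that widens the bypass to every provider. The example also leaves unstated what the 200 response represents, so a one-line comment such as `# a GET with more than one login method must not redirect to the provider` before the first expectation would make the intent readable. The setting change is not reset within the example; presumably the suite restores site settings between examples, but confirm.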